Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2024 22:26
Static task: static1
Behavioral task: behavioral1
- Sample: b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe
- Resource: win10v2004-20241007-en
General
- Target: b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe
- Size: 78KB
- MD5: c8410b400bb6749891d425553e408d60
- SHA1: d0833742443c6353faef910a585288e93bdeec99
- SHA256: b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22
- SHA512: 798164b84064b3c3cca36c89a2cf79dfbecd5e4b66759dbdb3f10bcab4c4021b5d6e2fe78da2033a5938eb7214dbe62ff6e319adba52383cdf9ba35fd65d0c59
- SSDEEP: 1536:XuHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtRK9/nM1Gy:XuHFon3xSyRxvY3md+dWWZyRK9/nI
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Executes dropped EXE (1 IoC)
  PID 1932: tmp9608.tmp.exe
- Loads dropped DLL (2 IoCs)
  PID 2416: b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe
  PID 2416: b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" (process: tmp9608.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp9608.tmp.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2416 (b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe)
  Token: SeDebugPrivilege, PID 1932 (tmp9608.tmp.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2416 (b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe) wrote to memory of 2372 (procid_target 30)
  PID 2416 (b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe) wrote to memory of 2372 (procid_target 30)
  PID 2416 (b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe) wrote to memory of 2372 (procid_target 30)
  PID 2416 (b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe) wrote to memory of 2372 (procid_target 30)
  PID 2372 (vbc.exe) wrote to memory of 2552 (procid_target 32)
  PID 2372 (vbc.exe) wrote to memory of 2552 (procid_target 32)
  PID 2372 (vbc.exe) wrote to memory of 2552 (procid_target 32)
  PID 2372 (vbc.exe) wrote to memory of 2552 (procid_target 32)
  PID 2416 (b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe) wrote to memory of 1932 (procid_target 33)
  PID 2416 (b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe) wrote to memory of 1932 (procid_target 33)
  PID 2416 (b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe) wrote to memory of 1932 (procid_target 33)
  PID 2416 (b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe) wrote to memory of 1932 (procid_target 33)
Processes
- C:\Users\Admin\AppData\Local\Temp\b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2416
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\66psrubg.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2372
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9770.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc975F.tmp"
      - System Location Discovery: System Language Discovery
      PID: 2552
  - C:\Users\Admin\AppData\Local\Temp\tmp9608.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9608.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 1932
Network
MITRE ATT&CK Enterprise v15
Downloads